Azure Sentinel Community – the Shortlinks

Those who know me know that I've had a very blessed professional career. As part of that, I've created, developed, and run some very significant communities over the past 20-plus years. I am a community person through and through, and as such am always on the lookout for ways to foster customers' efforts to create and maintain …

Azure Security Data Event Collection

This blog is focused on which Azure security service is authoritative for managing the event collection settings. The two ways of selecting security events in Azure are Security Center and Azure Sentinel, so what I discovered was that event collection could be managed from either Sentinel or Security Center settings, and the chosen authoritative service would then …

Resolving WindowsFirewall Log Ingestion Problems for Azure Sentinel

This problem has come up enough in the last month or so that it's worth a quick-hit blog post to help folks resolve it. The problem: you enable the Windows Firewall Data Connector in Azure Sentinel, follow the directions, and make sure the Log Analytics agent is installed on the remote system - but the …

Azure Sentinel Daily Task: Data Connectors

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training that are required to get a good …

Azure Sentinel Daily Task: Analytics Rules

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training that are required to get a …

Multi-workspace View for Azure Sentinel Now in Public Preview

We've had a lot of interest from customers to be able to review multiple workspaces in Azure Sentinel. Prior to this release, this was only available through Azure Lighthouse or, alternatively, you could do cross-workspace KQL queries to view merged data. Now, with the multi-workspace view, you can select multiple workspaces as you enter into …

Tools and Resources to Practice Your Azure Sentinel KQL-fu

I teach a couple of KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment …

Exporting Events from Disconnected Systems to Ingest into Azure Sentinel

I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research I found there's a myriad of ways to do it (including standing up a Log Analytics gateway), but one of …

Azure Sentinel Tip for Table Details and Descriptions

I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel analyst to figure out where and what data exists in the Log Analytics workspace, to help hone KQL queries to produce good data results. Read that here if you missed …

Tips for KQL Data Sampling as part of Azure Sentinel Investigations

When you're working against the data ingested in your Azure Sentinel Log Analytics workspace, you sometimes don't know right away exactly where the data exists or even what data is available. For example, what if you simply want to figure out if 'zoom.exe' exists in your data store? A lot of times someone has already …